New Security Features in Oracle E-Business Suite 12.2


New Security Features in Oracle E-Business Suite 12.2
Session ID#: 14365 (COLLABORATE)
Stephen Kost, Chief Technology Officer, Integrigy Corporation

About Integrigy
- ERP Applications: Oracle E-Business Suite
- Databases: Oracle and Microsoft SQL Server
- Products: AppSentry, an ERP application and database security auditing tool (validates security); AppDefend, an enterprise application firewall for the Oracle E-Business Suite (protects Oracle EBS)
- Services: security assessments (ERP, database, sensitive data, pen testing); compliance assistance (SOX, PCI, HIPAA); security design services (auditing, encryption, DMZ)
- Verify security, ensure compliance, build security

Agenda
1. Oracle EBS 12.2 Overview
2. Application Security
3. WebLogic
4. Web Security
5. Q&A


Plans to Upgrade to 12.2?
Poll: What is your organization's position on upgrading to R12.2?
- Plan to upgrade within 0-12 months: 13%
- Plan to upgrade within 12-24 months: 14%
- We do not plan to upgrade: 12%
- We have not made a decision: 42%
- No answer: 18%

Oracle 12.2 Architecture (Simplified)
Client browser -> https -> Oracle HTTP Server (= Apache 2.0) -> WebLogic Server (JSP, UIX 11g, BC4J, APPS) -> Oracle 11gR2 Database. Forms 10.1.2 and BI Publisher 10.1.2 remain on the application tier, all under Oracle Fusion Middleware 11g.
In 12.2, Oracle Application Server 10g is replaced with Oracle Fusion Middleware 11g, which includes WebLogic Server. All control and management is done using Fusion Middleware Control.

12.2 Online Patching
The Oracle E-Business Suite 12.2 environment has become much more complex with online patching. The database uses Edition-Based Redefinition, and there are two full installs of the application server stack, the Run and Patch file systems, each with its own EBSapps (10.1.2, APPL_TOP, COMMON_TOP), FMW_Home and INST_TOP, sharing one Oracle 11gR2 database.
Patching cycle (from the diagram): patches are applied to the Patch install; the Run instance is stopped and Patch is made the new Run; Run and Patch are then synchronized for next time.

12.2 AutoConfig Impact
Configuration changes and where they are now managed:
- Database Home (SID name, listener, dbports, etc.): Oracle Application Manager & AutoConfig
- Oracle HTTP Server (performance directives, log configuration, ports, mod_perl, mod_wl_ohs, etc.): Fusion Middleware Control
- WebLogic Server (oacore, oafm, forms and forms-c4ws services; classpath and JVM arguments for oacore): WLS Administration Console
- E-Business Suite (Concurrent Processing, profile options, Developer 10g, product-specific settings): Oracle Application Manager & AutoConfig


Flexfield Value Set Security
- Controls who can view, insert, or update values for a particular value set in the Segment Values form
- Adds segregation of duties to maintenance of flexfield value sets
- Enabled by default
- Access must be explicitly granted
- Access can be based on user, responsibility, role, application, or operating unit

Flexfield Value Set Security Example
Improve segregation of duties by allowing (1) certain users to only view or insert values for Account Flexfields and no other value sets, (2) certain users to only view or insert values for any HR application, and (3) certain users to only view or insert values for a specific operating unit. Roles and responsibilities are also supported.
Diagram: GL Super Users -> Accounting Flexfield; System Administrator Responsibility -> FND Value Sets; HR Super Users -> HR Flexfield Value Sets.

Flexfield Value Set Security
- Additional patches required: requires the mandatory Patch 17305947:R12.FND.C
- Additional setup required: all value sets are locked upon install or upgrade until setup is completed
- Documentation: Release 12.2 Flexfield Value Set Security Documentation Update for Patch 17305947:R12.FND.C (MOS Note ID 1589204.1); the MOS Note supersedes the 12.2 Flexfields Guide

Allowed JSP Lists
A whitelist of allowed JSP pages; basically the DMZ URL Firewall applied to internal access.
Oracle 12.2 application server attack surface (from the diagram: client browser -> https -> Apache -> OC4J -> APPS database):
- Java Server Pages (JSP): 16,078 JSP pages, of which OA Framework (OA.jsp) accounts for 11,600 pages
- Core servlets: 30 servlet classes
- Web Services servlets: 70 servlet classes
- Oracle Forms: 3,000 forms

Allowed JSP Lists
- Explicit list of allowed JSP pages
- Limits access to unused JSP pages for modules not configured or licensed
- Must be manually enabled
- See the Oracle EBS Security Guide manual for instructions on usage

Allowed JSP Lists
Allowed JSP Lists are disabled by default. A new profile option allows Allowed JSP Lists to be disabled:
- Profile option: Allow Unrestricted JSP Access (FND_SEC_ALLOW_JSP_UNRESTRICTED_ACCESS), set at Site or Server level
- Yes: allow all JSPs (default)
- No: use Allowed JSP Lists

allowed_jsps.conf

    # $Header: allowed_jsps.conf 120.0.12020000.3 2013/06/11 21:37:29 srveerar noship $
    /OA_HTML/AppsLocalLogin.jsp
    /OA_HTML/cabo/jsps/a.jsp
    /OA_HTML/cabo/jsps/frameRedirect.jsp
    /OA_HTML/fndgfm.jsp
    /OA_HTML/jsp/fnd/close.jsp
    /OA_HTML/jsp/fnd/fnderror.jsp
    /OA_HTML/OADownload.jsp
    /OA_HTML/OAErrorDetailPage.jsp
    /OA_HTML/OAErrorPage.jsp
    /OA_HTML/OAExport.jsp
    /OA_HTML/OA.jsp
    /OA_HTML/OALogout.jsp
    /OA_HTML/OARegion.jsp
    /OA_HTML/RF.jsp
    /OA_HTML/GWY.jsp
    /OA_HTML/runforms.jsp
    /OA_HTML/xdo_doc_display.jsp
    /OA_HTML/OAD.jsp
    /OA_HTML/OAP.jsp
    include allowed_jsps_fin.conf
    include allowed_jsps_hr.conf
    include allowed_jsps_leasing.conf
    include allowed_jsps_procurement.conf
    include allowed_jsps_scm.conf
    include allowed_jsps_crm.conf
    include allowed_jsps_vcp.conf
    include allowed_jsps_diag_tests.conf
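Before setting FND_SEC_ALLOW_JSP_UNRESTRICTED_ACCESS to No, an administrator will want to know which JSP pages in actual use would be blocked by the allow list. The following script is an added example, not Oracle's or Integrigy's code: it loads allowed_jsps.conf, follows its include directives, and reports the JSPs in a sample of Oracle HTTP Server access-log lines that the list would reject. The conf format it parses ('#' comments, 'include <file>' lines, one JSP path per line) is inferred from the entries shown above; the include-file contents, the /OA_HTML/jsp/legacy/unused_module.jsp page and the log lines are constructed for the demo.

```python
"""Audit access-log lines against an allowed_jsps.conf allow list.

Added example (not Oracle's or Integrigy's code). The conf format is an
assumption based on the entries shown in the presentation; the include
files, the unused_module.jsp page and the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the allowed_jsps*.conf files on the application tier
# (a subset of the real entries plus two constructed include files).
CONF_FILES = {
    "allowed_jsps.conf": """\
# $Header: allowed_jsps.conf 120.0.12020000.3 2013/06/11 21:37:29 srveerar noship $
/OA_HTML/AppsLocalLogin.jsp
/OA_HTML/OA.jsp
/OA_HTML/OALogout.jsp
/OA_HTML/RF.jsp
include allowed_jsps_fin.conf
include allowed_jsps_hr.conf
""",
    "allowed_jsps_fin.conf": "/OA_HTML/jsp/fin/example_fin.jsp\n",  # constructed entry
    "allowed_jsps_hr.conf": "/OA_HTML/jsp/hr/example_hr.jsp\n",     # constructed entry
}


def load_allowed_jsps(name, files=CONF_FILES, seen=None):
    """Return the set of allowed JSP paths, following 'include' directives.
    'seen' guards against include cycles and double loading; a missing
    include file contributes nothing rather than aborting the audit."""
    seen = set() if seen is None else seen
    if name in seen or name not in files:
        return set()
    seen.add(name)
    allowed = set()
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            allowed |= load_allowed_jsps(line.split(None, 1)[1].strip(), files, seen)
        else:
            allowed.add(line)
    return allowed


# Common/combined log format: only the request target is needed here.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def jsp_path(target):
    """Reduce a request target to its path: drop the query string and any
    ';jsessionid=...' path parameter so it compares to allow-list entries."""
    return urlsplit(target).path.split(";", 1)[0]


def find_blocked_jsps(log_lines, allowed):
    """Return sorted (path, hit_count) pairs for JSP requests that the allow
    list would reject once unrestricted JSP access is turned off."""
    hits = {}
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        path = jsp_path(match.group("target"))
        if path.lower().endswith(".jsp") and path not in allowed:
            hits[path] = hits.get(path, 0) + 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


SAMPLE_LOG = [  # constructed access-log lines
    '10.0.0.5 - - [01/Apr/2014:10:00:01 -0500] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Apr/2014:10:00:07 -0500] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG HTTP/1.1" 200 9876',
    '10.0.0.9 - - [01/Apr/2014:10:01:12 -0500] "GET /OA_HTML/jsp/hr/example_hr.jsp;jsessionid=ABC123 HTTP/1.1" 200 3210',
    '10.0.0.22 - - [01/Apr/2014:10:02:40 -0500] "GET /OA_HTML/jsp/legacy/unused_module.jsp HTTP/1.1" 200 2048',
    '10.0.0.22 - - [01/Apr/2014:10:02:41 -0500] "POST /OA_HTML/jsp/legacy/unused_module.jsp HTTP/1.1" 200 1024',
    '10.0.0.22 - - [01/Apr/2014:10:03:00 -0500] "GET /OA_HTML/cabo/images/swan/logo.gif HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    allow_list = load_allowed_jsps("allowed_jsps.conf")
    for path, count in find_blocked_jsps(SAMPLE_LOG, allow_list):
        print(f"{count:5d}  {path}")
```

Run against a few weeks of real access logs, the report shows which pages must either be added to the list (if they belong to a licensed module) or treated as findings (if they are unused pages that users or scanners are reaching today).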

Default Passwords: Fresh Install
- Of 191 database accounts, the only default password left is APPLSYSPUB/PUB
- The install sets the WebLogic control password
- Sets the APPS and APPLSYS passwords
- Sets the SYS, SYSTEM, CTXSYS, OUTLN, and 9 other standard database account passwords
- Sets the accounts for all EBS product schemas (161 accounts in total)

Default Passwords: Upgrade
New database accounts are added during the database upgrade for new application modules, depending on which version you are upgrading from. Be sure to check these accounts for default passwords.
Version upgrading from -> new database accounts:
- 11.5.10: XLE, ASN, FUN, FPA, ZX, LNS, IA, XDO
- 12.0.0: JMF, GMO, IBW, IPM, DNA
- 12.0.4: IZU
- 12.1.0: RRS, DPP, MTH, QPR, DDR, INL
- 12.2.2: GHG, APPS_NE


WebLogic/Fusion Middleware Control Demonstration


Clickjacking Protection: Frame Busting
Provides protection against clickjacking by disallowing OA Framework pages from being embedded into frames from third-party sites. Enabled by default.
- Profile option: FND: Disable Frame Busting (FND_DISABLE_FRAME_BUSTING), set at Site or Server level
- True: disable frame busting
- False: use frame busting (default)

Clickjacking Protection: X-Frame-Options HTTP Response Header
Now enabled for all Oracle EBS web pages and configured in the Apache httpd.conf. Enabled by default.

Attachment Virus Scanning
- Enhanced virus scanning of all attachments and file uploads
- Limited to a Symantec server
- Can be enabled or disabled at site, responsibility, application or user level with FND: Disable Virus Scan
- OA Framework customizations can selectively enable or disable virus scanning
- Virus scanning should be utilized when implementing iRecruitment or iSupplier

Additional Web Application Security
Cookie domains
- Protects the Oracle EBS session cookie from web-based attacks
- Set to the domain by default in profile option ICX_SESSION_COOKIE_DOMAIN
Cross-site scripting (XSS) protections
- Check file uploads and attachments for XSS
- XSS checking in the Messaging Rich Text Editor
- Uses the AntiSamy library for XSS filtering
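The X-Frame-Options header and the session cookie domain described in the two sections above are both visible in a single HTTP response, so they can be verified after a patch or a configuration change without logging in. The following script is an added example, not Oracle's or Integrigy's code: it parses a captured response and checks that X-Frame-Options restricts framing and that the session cookie's Domain attribute matches the value configured in ICX_SESSION_COOKIE_DOMAIN. The cookie name EBS_SESSION, the domain ebs.example.com and both response captures are constructed; pass your own instance's cookie name and configured domain.

```python
"""Verify two response-header protections on an Oracle EBS web tier:
the X-Frame-Options clickjacking header and the Domain attribute of the
session cookie. Added example, not Oracle's or Integrigy's code.

Assumptions (constructed for the demo): the session cookie is named
EBS_SESSION and the expected domain is ebs.example.com; substitute the
cookie name of your instance and the value set in ICX_SESSION_COOKIE_DOMAIN.
"""


def parse_response_headers(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name_lower, value), ...]).
    Repeated headers such as multiple Set-Cookie lines are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_x_frame_options(headers):
    """Clickjacking: the header must be present and must restrict framing."""
    values = [v.upper() for n, v in headers if n == "x-frame-options"]
    if not values:
        return "FAIL: X-Frame-Options header missing"
    if any(v not in ("DENY", "SAMEORIGIN") for v in values):
        return "FAIL: X-Frame-Options does not restrict framing: %s" % values
    return "PASS"


def parse_set_cookie(value):
    """Return (name, value, {attribute_lower: attribute_value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def check_session_cookie_domain(headers, cookie_name, expected_domain):
    """Session cookie scope: the Domain attribute must be absent (host-only
    cookie) or exactly the configured domain. A broader Domain shares the
    session cookie with every other host under it and is reported as FAIL."""
    expected = expected_domain.lstrip(".").lower()
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(v)
        if name != cookie_name:
            continue
        domain = attrs.get("domain")
        if domain is None:
            return "PASS (host-only cookie)"
        if domain.lstrip(".").lower() == expected:
            return "PASS"
        return "FAIL: %s cookie Domain is '%s', expected '%s'" % (cookie_name, domain, expected_domain)
    return "FAIL: no Set-Cookie for %s in this response" % cookie_name


# Constructed response from a correctly configured tier: both checks pass.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Oracle-HTTP-Server\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: EBS_SESSION=0123456789abcdef; path=/; domain=.ebs.example.com; HttpOnly\r\n"
    "Set-Cookie: oracle.uix=0_0; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Login</body></html>"
)

# Constructed response with the header missing and the cookie scoped too broadly.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Oracle-HTTP-Server\r\n"
    "Set-Cookie: EBS_SESSION=0123456789abcdef; path=/; domain=.example.com\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Login</body></html>"
)


def audit(raw, cookie_name="EBS_SESSION", expected_domain="ebs.example.com"):
    """Run both checks on one captured response and return {check: result}."""
    _, headers = parse_response_headers(raw)
    return {
        "x-frame-options": check_x_frame_options(headers),
        "session-cookie-domain": check_session_cookie_domain(headers, cookie_name, expected_domain),
    }


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        for check, result in audit(raw).items():
            print("%-5s %-22s %s" % (label, check, result))
```

The same checks belong in the post-patch verification runbook: an httpd.conf regenerated by AutoConfig or a changed profile option can silently drop either protection, and both are cheap to confirm from a single response capture.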

Security Concerns
Delivery Manager report output
- Send reports to EBS users through e-mail
- Upload reports to an FTP server
- Save reports to the local file system of the EBS application tier
SOA and Web Services (REST)
- Do your DBA and security teams understand web services and how to properly secure them?

Security Concerns: Encrypted vs. Non-Reversible Hashed Application Passwords
The default for EBS application accounts is still encrypted (reversible) passwords rather than non-reversible hashed passwords.


References
- Database Initialization Parameters for Oracle E-Business Suite Release 12 (Doc ID 396009.1)
- Oracle E-Business Suite Product Specific Release Notes, Release 12.2.2 (Doc ID 1585844.1)
- Oracle Application Framework Profile Options, Release 12.2 (Doc ID 1373537.1)

Contact Information
Stephen Kost, Chief Technology Officer, Integrigy Corporation
web: www.integrigy.com
e-mail: info@integrigy.com
blog: integrigy.com/oracle-security-blog
youtube: youtube.com/integrigy
Copyright 2014 Integrigy Corporation. All rights reserved.